Data protection is an important issue in the countries in which Vertec operates. The relevant rules are set out in the DSGVO (GDPR) in the EU and in the DSG in Switzerland. As a software manufacturer and cloud operator, we are of course very directly affected, because we process some of the data that our customers own. This topic is therefore also very important to us.
On this page, we would like to explain to leads, customers and partners of Vertec what our specific position is with regard to data protection at Vertec. One of the first principles we follow is that we handle data protection not only “formally,” as we see many others do, but also quite “concretely.” Of course, the standards prescribe certain formalities that we must comply with. But often such formalities do not increase the level of data protection at all (they only reduce one’s own legal risk). That is not our approach.
For us, “data protection concretely” means that we take the subject of “information security” very seriously – so seriously that since 2013 we have successfully had our information security management system (ISMS) certified according to ISO 27001. We guarantee our customers (via the “Regulation on Order Data Processing”) that we will maintain this certificate.
“Information security” goes beyond “data protection.” “Data protection” only concerns data from and about natural persons (so-called “personal data”), i.e. people. However, we ourselves and our customers have much more data that is very worthy of protection but does not fall under “data protection,” such as customer lists or the sales figures of the largest customers. “Information security” concerns all data worthy of protection, not only the data protected by “data protection.”
Certification according to ISO 27001 means that we assess risks for all significant information “assets” along the three dimensions of “confidentiality,” “availability” and “integrity.” Whether our Cloud Suite is running and our customers can use it is not a matter of data protection, but it is of course a matter of information security in the area of “availability.” Clearly assigned asset responsibilities ensure that each asset is looked after. Those responsible are also responsible for managing the risks and, if the level of risk is judged to be unacceptable, for implementing measures to reduce the risks. This can be compared to the “TOMs” (technical and organisational measures) under the General Data Protection Regulation (GDPR). But it goes beyond that, because it is not only about data protection, and according to the ISO standard you are also obliged to continuously increase information security.
Some examples of what we do in the context of ISO 27001 certification:
The ISMS and the clear thinking in terms of assets also help us to keep track of data protection. Whenever possible, we try not to collect data in the first place – because data that you don’t have does not need to be protected. A good example of this is our own website, where we do without any consent-based tracking.
But, of course, we cannot avoid being exposed to data that is subject to data protection. The most prominent example is certainly the Vertec Cloud Suite, where we run Vertec in the cloud for our customers. In this case, in addition to the AGB (general terms and conditions), the “Regulation on Order Data Processing” also applies; it sets out in which cases we become an order data processor at all and how we deal with this. For the Cloud Suite operation, we also use subcontractors. We list these companies, together with the purpose for which they are used, on the Sublieferanten (subcontractors) page.
In addition, we naturally collect data that is necessary for order processing (e.g. customer orders) or to ensure service quality. For example, we document all support requests in writing. However, in no case do such data contain particularly sensitive personal data within the meaning of data protection.